Microsoft Identifies New Tickler Backdoor Used by Iranian Hackers
Experts at Microsoft have discovered that the hacking group Peach Sandstorm, which is linked to Iranian authorities, is using a new backdoor called Tickler in attacks targeting satellite communications, the oil and gas sector, and government agencies in the United States and the United Arab Emirates.
According to Microsoft’s report, Peach Sandstorm has been deploying this multi-stage malware since April 2024. Tickler collects network information from infected hosts and sends it to command-and-control (C2) servers operated by the attackers.
How Tickler Works
The first Tickler sample was found in an archive named “Network Security.zip” alongside two benign PDF documents. On execution, the sample locates kernel32.dll in memory, decrypts several strings, loads the library, and opens a legitimate PDF, “YAHSAT NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20240421.pdf,” as a decoy. Meanwhile, Tickler collects information about the victim’s network and sends it to the command server over HTTP.
A second Tickler sample has similar functionality. It downloads additional payloads, including legitimate DLLs, from the command server, and it maintains persistent communication with that server through a resource the attackers created in Azure.
Abuse of Cloud Infrastructure
Microsoft experts found that Peach Sandstorm uses credentials stolen from educational institutions to build its infrastructure in Azure. This gives the group legitimate-looking access to cloud resources, which it uses to host its command servers.
Ongoing Attacks and Tactics
In addition to using Tickler, Peach Sandstorm continues to attack the education, satellite, defense, and government sectors through password spraying. Analysts note that in April and May 2024 the group was still using the “go-http-client” user agent seen in its previous campaigns. The user agent is a convenient hunting pivot but a weak one on its own: it is the default of Go’s HTTP client and is trivial to change.
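As an added example (not code from Microsoft’s report or its published queries), the following Python reproduces the core logic of a password-spray hunt over sign-in records: one source address that fails sign-ins against many distinct accounts, a few attempts each, inside a short window, with the “go-http-client” user agent raising confidence rather than being required. The records are constructed for the example; field names follow the Entra ID sign-in log schema (TimeGenerated, UserPrincipalName, IPAddress, UserAgent, ResultType), the values are invented, and the thresholds are assumptions to tune per tenant.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in records (JSON lines). Field names follow the
# Entra ID sign-in log schema; values are invented. ResultType 50126 means
# "invalid username or password", 0 means success.
SAMPLE_LOG = """\
{"TimeGenerated": "2024-05-02T03:10:05Z", "UserPrincipalName": "a.smith@example.edu", "IPAddress": "203.0.113.7", "UserAgent": "Go-http-client/1.1", "ResultType": "50126"}
{"TimeGenerated": "2024-05-02T03:14:40Z", "UserPrincipalName": "b.jones@example.edu", "IPAddress": "203.0.113.7", "UserAgent": "Go-http-client/1.1", "ResultType": "50126"}
{"TimeGenerated": "2024-05-02T03:19:12Z", "UserPrincipalName": "c.khan@example.edu", "IPAddress": "203.0.113.7", "UserAgent": "Go-http-client/1.1", "ResultType": "50126"}
{"TimeGenerated": "2024-05-02T03:23:58Z", "UserPrincipalName": "d.lee@example.edu", "IPAddress": "203.0.113.7", "UserAgent": "Go-http-client/1.1", "ResultType": "50126"}
{"TimeGenerated": "2024-05-02T03:28:31Z", "UserPrincipalName": "e.garcia@example.edu", "IPAddress": "203.0.113.7", "UserAgent": "Go-http-client/1.1", "ResultType": "50126"}
{"TimeGenerated": "2024-05-02T03:33:07Z", "UserPrincipalName": "f.olsen@example.edu", "IPAddress": "203.0.113.7", "UserAgent": "Go-http-client/1.1", "ResultType": "0"}
{"TimeGenerated": "2024-05-02T03:11:00Z", "UserPrincipalName": "g.brown@example.edu", "IPAddress": "198.51.100.22", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0", "ResultType": "50126"}
{"TimeGenerated": "2024-05-02T03:11:20Z", "UserPrincipalName": "g.brown@example.edu", "IPAddress": "198.51.100.22", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0", "ResultType": "50126"}
{"TimeGenerated": "2024-05-02T03:11:45Z", "UserPrincipalName": "g.brown@example.edu", "IPAddress": "198.51.100.22", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0", "ResultType": "0"}
"""


def parse_events(jsonl):
    """Parse JSON-lines records, attach a UTC datetime, return them time-sorted."""
    events = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc)
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def find_password_sprays(events, window=timedelta(hours=1), min_accounts=5,
                         max_per_account=3, ua_marker="go-http-client"):
    """Return {source_ip: finding} for sources that look like password sprayers.

    A spray is many distinct accounts with few failures each from one source
    inside the window (the inverse of a brute force, which piles failures onto
    one account). Thresholds are assumptions to tune per tenant. The user-agent
    marker only raises confidence; it is not required, because the operator
    can change it at will.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["IPAddress"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["ResultType"] != "0"]
        start = 0
        for end in range(len(failures)):
            # slide the window start forward until the span fits inside `window`
            while failures[start]["ts"] < failures[end]["ts"] - window:
                start += 1
            span = failures[start:end + 1]
            per_user = defaultdict(int)
            for e in span:
                per_user[e["UserPrincipalName"]] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                # any success from the same source after the spray began is the
                # account to reset and investigate first
                successes = sorted({e["UserPrincipalName"] for e in evs
                                    if e["ResultType"] == "0" and e["ts"] >= span[0]["ts"]})
                findings[ip] = {
                    "targeted_accounts": sorted(per_user),
                    "attempts": len(span),
                    "go_http_client": any(ua_marker in e["UserAgent"].lower() for e in span),
                    "successes_after_spray": successes,
                }
                break  # one finding per source is enough for triage
    return findings


def hunt_sprays(jsonl=SAMPLE_LOG):
    return find_password_sprays(parse_events(jsonl))


if __name__ == "__main__":
    for ip, finding in hunt_sprays().items():
        print(ip, json.dumps(finding, indent=2))
```

In a Defender XDR or Sentinel query the same shape is a summarize over IPAddress with a distinct count of UserPrincipalName against a bin of time; the success-after-failures check is what turns a noisy alert into a reset list.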
Interestingly, other Iranian groups, such as Smoke Sandstorm, have also been abusing cloud resources in recent months.
Peach Sandstorm is also known for moving laterally within compromised organizations over SMB and for attempting to install remote access tools such as AnyDesk on infected systems. During one intrusion against a Middle Eastern satellite operator, researchers observed the group using the Sysinternals AD Explorer utility to take a snapshot of Active Directory.
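As an added example (not code from Microsoft’s report), the following Python tags process-creation events for the three post-compromise behaviours described above, staging over SMB administrative shares, an AD Explorer snapshot, and an AnyDesk installation, and then groups the hits by account so that one account chaining several of them stands out from a lone administrator touching a share. The events are constructed in the shape of Microsoft Defender for Endpoint’s DeviceProcessEvents table (real field names, invented values); the AD Explorer “-snapshot” switch and the AnyDesk “--install” switches are taken from the tools’ command-line usage and should be treated as assumptions to confirm against your own telemetry.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events shaped like Microsoft Defender for
# Endpoint's DeviceProcessEvents table (field names real, values invented).
SAMPLE_EVENTS = [
    {"Timestamp": "2024-05-03T09:02:11Z", "DeviceName": "WS-0417", "AccountName": "jdoe",
     "FileName": "cmd.exe",
     "ProcessCommandLine": r'cmd.exe /c copy C:\Users\Public\ADExplorer.exe \\SRV-DC01\C$\Windows\Temp\ADExplorer.exe'},
    {"Timestamp": "2024-05-03T09:05:47Z", "DeviceName": "SRV-DC01", "AccountName": "jdoe",
     "FileName": "ADExplorer.exe",
     "ProcessCommandLine": r'ADExplorer.exe -snapshot "" C:\Windows\Temp\ad.dat'},
    {"Timestamp": "2024-05-03T09:21:30Z", "DeviceName": "SRV-DC01", "AccountName": "jdoe",
     "FileName": "AnyDesk.exe",
     "ProcessCommandLine": r'AnyDesk.exe --install "C:\Program Files (x86)\AnyDesk" --start-with-win --silent'},
    # interactive AD Explorer use without a snapshot: common for admins, not flagged
    {"Timestamp": "2024-05-03T10:12:02Z", "DeviceName": "WS-0102", "AccountName": "adm.ops",
     "FileName": "ADExplorer.exe", "ProcessCommandLine": "ADExplorer.exe"},
    # a backup job touching an admin share: a single hit, not a chain
    {"Timestamp": "2024-05-03T10:40:19Z", "DeviceName": "FS01", "AccountName": "svc.backup",
     "FileName": "robocopy.exe",
     "ProcessCommandLine": r'robocopy.exe D:\backup \\FS02\ADMIN$\Temp\staging /E'},
    {"Timestamp": "2024-05-03T11:03:55Z", "DeviceName": "WS-0333", "AccountName": "mlee",
     "FileName": "notepad.exe", "ProcessCommandLine": r'notepad.exe C:\Users\mlee\notes.txt'},
]

# A UNC path to an administrative share: \\host\C$, \\host\ADMIN$ or \\host\IPC$
ADMIN_SHARE = re.compile(r"\\\\[^\\\s]+\\(ADMIN\$|C\$|IPC\$)", re.IGNORECASE)


def classify(event):
    """Return the technique tags one process event matches (possibly several)."""
    name = event["FileName"].lower()
    cmd = event["ProcessCommandLine"]
    tags = []
    if ADMIN_SHARE.search(cmd):
        tags.append("smb_admin_share_access")   # copying tools over SMB
    if name == "adexplorer.exe" and "-snapshot" in cmd.lower():
        tags.append("ad_explorer_snapshot")      # offline dump of the directory
    if name.startswith("anydesk") and "--install" in cmd.lower():
        tags.append("anydesk_install")           # persistent remote access tool
    return tags


def hunt_lateral_movement(events=SAMPLE_EVENTS):
    """Group hits by account and mark accounts that chain two or more techniques."""
    by_account = defaultdict(list)
    for e in events:
        for tag in classify(e):
            by_account[e["AccountName"]].append((e["Timestamp"], e["DeviceName"], tag))
    findings = {}
    for account, hits in sorted(by_account.items()):
        techniques = sorted({tag for _, _, tag in hits})
        findings[account] = {
            "techniques": techniques,
            "devices": sorted({dev for _, dev, _ in hits}),
            "first_seen": min(ts for ts, _, _ in hits),
            "chained": len(techniques) >= 2,
        }
    return findings


if __name__ == "__main__":
    for account, finding in hunt_lateral_movement().items():
        print(account, finding)
```

Grouping by account rather than by host is deliberate: lateral movement by definition spans machines, and the account is the thread that ties the staging copy on the workstation to the snapshot on the domain controller.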
Recommendations for Protection
- Reset the passwords of accounts that were targeted by the password spraying.
- Revoke session cookies for those accounts.
- If a targeted account had system-level privileges, investigate further.
- Implement conditional access policies in Azure (Entra ID) to restrict access based on criteria such as location, device state, or sign-in risk.
- Block legacy authentication protocols that cannot enforce multi-factor authentication; password spraying typically targets these endpoints.
- Turn on EDR in block mode in Microsoft Defender for Endpoint so that it blocks malicious artifacts even when a third-party antivirus is the primary product and misses them.
Threat Hunting and Detection
Indicators of compromise from the report, such as the malicious files and the Azure-hosted command servers, can be used for threat hunting in corporate networks. Microsoft also provides Defender XDR hunting queries for related activity, and Microsoft Sentinel ships analytic rules that automatically match the report’s IoCs against customer data.